File name: GSI-6.2.2.58.exe

Full analysis: https://app.any.run/tasks/78f96db0-b436-49fd-bc74-6e745d00d99c
Verdict: Malicious activity
Analysis date: August 30, 2024, 17:47:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DAB22F79095DB0106942A014B693FAA4
SHA1: ADF3DCCA477303A93D0B7A4D39CF828629EE5B82
SHA256: 0AC40EE341258E380D1837B0A4A60D6C2CE26DE910DE9EC2D409365940AB39CF
SSDEEP: 196608:AmtPzyreXF67G5sKPQ4t0UBEZmXkehHOZbH:AmQreXAqJ5tbym09RH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 2232)
      • GetSystemInfo.exe (PID: 1156)
      • 7z.exe (PID: 7068)
    • Executable content was dropped or overwritten

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 2232)
      • GetSystemInfo.exe (PID: 1156)
      • 7z.exe (PID: 7068)
    • The process creates files with name similar to system file names

      • GSI-6.2.2.58.exe (PID: 5000)
    • Drops 7-zip archiver for unpacking

      • GetSystemInfo.exe (PID: 4880)
      • GetSystemInfo.exe (PID: 1156)
      • GetSystemInfo.exe (PID: 3852)
    • Process drops legitimate windows executable

      • GSI-6.2.2.58.exe (PID: 5000)
      • 7z.exe (PID: 7068)
  • INFO

    • Create files in a temporary directory

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 2232)
      • 7z.exe (PID: 6648)
      • GetSystemInfo.exe (PID: 3852)
      • GetSystemInfo.exe (PID: 1156)
      • 7z.exe (PID: 7068)
      • GSI.exe (PID: 208)
    • Checks supported languages

      • GSI-6.2.2.58.exe (PID: 5000)
      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 2232)
      • 7z.exe (PID: 6648)
      • GetSystemInfo.exe (PID: 3852)
      • 7z.exe (PID: 7068)
      • GetSystemInfo.exe (PID: 1156)
      • GSI.exe (PID: 208)
    • Reads the computer name

      • GetSystemInfo.exe (PID: 4880)
      • 7z.exe (PID: 2232)
      • 7z.exe (PID: 7068)
      • GetSystemInfo.exe (PID: 3852)
      • GetSystemInfo.exe (PID: 1156)
      • 7z.exe (PID: 6648)
      • GSI.exe (PID: 208)
    • Reads the machine GUID from the registry

      • GSI.exe (PID: 208)
No Malware configuration.

TRiD (file-type guesses, match percentage in parentheses)

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:05 09:49:37+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 130048
InitializedDataSize: 14144000
UninitializedDataSize: -
EntryPoint: 0x4ab1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 6.2.2.58
ProductVersionNumber: 6.2.2.58
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AO Kaspersky Lab
FileDescription: Kaspersky Get System Info
FileVersion: 6.2.2.58
InternalName: GSI.exe
LegalCopyright: © 2018 AO Kaspersky Lab. All Rights Reserved.
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
OriginalFileName: GSI.exe
ProductName: Kaspersky Get System Info
ProductVersion: 6.2.2.58
No data.
Screenshots: not reproduced here (available in the full report).
Total processes: 133
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 4

Behavior graph

Graph nodes, flattened from the interactive view (the "no specs" tag is the report's own marker):
start, gsi-6.2.2.58.exe, getsysteminfo.exe, 7z.exe, conhost.exe (no specs), getsysteminfo.exe, 7z.exe (no specs), conhost.exe (no specs), getsysteminfo.exe, 7z.exe, conhost.exe (no specs), gsi.exe (no specs), gsi-6.2.2.58.exe (no specs)

Process information

Columns per process: PID, CMD, Path, Indicators, Parent process (indicators column was empty for every process below).
PID: 208
CMD: "C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exe" /FW40
Path: C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exe
Parent process: GSI-6.2.2.58.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: HIGH
Description: Kaspersky Get System Info
Version: 6.2.2.58
Modules (images):
c:\users\admin\appdata\local\temp\x3uw.0\gsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
CMD: "C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\Parser.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"
Path: C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
Parent process: GSI-6.2.2.58.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: HIGH
Description: Kaspersky Get System Information
Exit code: 0
Version: 6.2.2.58
Modules (images):
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 1168
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2232
CMD: C:\Users\admin\AppData\Local\Temp\x3rk.0\7z.exe x "C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7z" -o"C:\Users\admin\AppData\Local\Temp\x3uw.0" -t7z -y
Path: C:\Users\admin\AppData\Local\Temp\x3rk.0\7z.exe
Parent process: GetSystemInfo.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\x3rk.0\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 3784
CMD: "C:\Users\admin\Desktop\GSI-6.2.2.58.exe"
Path: C:\Users\admin\Desktop\GSI-6.2.2.58.exe
Parent process: explorer.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: MEDIUM
Description: Kaspersky Get System Info
Exit code: 3221226540 (0xC000042C)
Version: 6.2.2.58
Modules (images):
c:\users\admin\desktop\gsi-6.2.2.58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3852
CMD: "C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\GSI.exe.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"
Path: C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
Parent process: GSI-6.2.2.58.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: HIGH
Description: Kaspersky Get System Information
Exit code: 0
Version: 6.2.2.58
Modules (images):
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 4880
CMD: "C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe" /unpack /format=7z /archivePath="C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7z" /destinationPath="C:\Users\admin\AppData\Local\Temp\x3uw.0"
Path: C:\Users\admin\AppData\Local\Temp\x3uw.0\GetSystemInfo.exe
Parent process: GSI-6.2.2.58.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: HIGH
Description: Kaspersky Get System Information
Exit code: 0
Version: 6.2.2.58
Modules (images):
c:\users\admin\appdata\local\temp\x3uw.0\getsysteminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 5000
CMD: "C:\Users\admin\Desktop\GSI-6.2.2.58.exe"
Path: C:\Users\admin\Desktop\GSI-6.2.2.58.exe
Parent process: explorer.exe
User: admin
Company: AO Kaspersky Lab
Integrity Level: HIGH
Description: Kaspersky Get System Info
Version: 6.2.2.58
Modules (images):
c:\users\admin\desktop\gsi-6.2.2.58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6560
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 1,303
Read events: 1,303
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 10
Text files: 14
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5000 | GSI-6.2.2.58.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\avz.7z | -
  MD5: -
  SHA256: -
2232 | 7z.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe | executable
  MD5: 61D78BCD8D0904AFDDD4C33B52DA40BD
  SHA256: 676F722C421BDAD979CCEFCEB698DFE3539F4D9502BD7BEB0DC5B3147399E3DF
1156 | GetSystemInfo.exe | C:\Users\admin\AppData\Local\Temp\xw4.0\7z.zip | compressed
  MD5: AEFF0B53E94DD257177F9AD8BC3D1A18
  SHA256: E548B67B049995B37A244AA272F9152FC8E4A5F42C24067226DC0F4081791838
5000 | GSI-6.2.2.58.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\LicAgreementDE.rtf | text
  MD5: 6F78A110F286E6C62ACA59A0E0DE68D4
  SHA256: 092BD2CA37C152556AC7445460BF4F3E62D69E72431A31852A77B96BD0A3DBD9
5000 | GSI-6.2.2.58.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\Parser.7z | compressed
  MD5: F4CBE07466D0021C698D421C5CA8F051
  SHA256: E5C0AC0277491D4536D63BA46B02D7D33FC98A83CF39B3CA832B5D5B67CAB963
5000 | GSI-6.2.2.58.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\un_s.exe.7z | compressed
  MD5: 314C34DED7446B8D02552D1D104C345D
  SHA256: D1BCC0D419DD00191D3DE1841CBE4AFE415527C087A2DB913A01B61EAD958925
6648 | 7z.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\Parser\Un\soft.txt | text
  MD5: 536DDED2DE2D9A09422B8D515377991B
  SHA256: BACBBB0EFC87BE7E9A318277176B63B48F890800DC30320C2364D071707BF5D4
6648 | 7z.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\Parser\Un\md5.txt | text
  MD5: 889916720E802290D77ECDCB449C8998
  SHA256: 1890DDED6123122438ED7BDFA498E1DF644023076A36CB804835E39F5E403861
5000 | GSI-6.2.2.58.exe | C:\Users\admin\AppData\Local\Temp\x3uw.0\LicAgreementFR.rtf | text
  MD5: 67D51FD54D5ACD14EF35CA64B7A8D5AF
  SHA256: A023EC7C6CE1BC6BCE124C8C153C4D87F599BFBE5848E2A6A71967D61E77F223
1156 | GetSystemInfo.exe | C:\Users\admin\AppData\Local\Temp\xw4.0\7z.dll | executable
  MD5: EB85BBE8E5716EA0599D6F7C1D2FC9AE
  SHA256: D546A0BE8BE9BC431C9BB87542478495A7693F686C5677405ACD9BBBAA2BBB5D
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 5
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6020 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6416 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6020 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted

Threats

No threats detected
No debug info